
CVE-2024-23175: FlexDiagrams XSS bug
Closed, Resolved | Public | Security

Description

Steps to replicate the issue (include links if applicable):

MediaWiki-extensions-FlexDiagrams
#Mermaid

Using Flex Diagrams, it is possible to retrieve a user's CSRF token and perform actions on a user's account.

On the page https://cheekyfactor.com/wiki/index.php/Mermaid:Test_page I have created a Mermaid diagram using:

sequenceDiagram
participant Alice <u>test</u><img src=x onerror=alert(document.domain)>foo

What happens?:

As can be observed, the alert popup indicates it is possible to inject and execute attacker-controlled JavaScript.

This could also allow an attacker to retrieve the victim's CSRF token and perform actions on behalf of the victim's account. To demonstrate the scenario, the researcher has provided a payload that creates a new page using the victim's account.

What should have happened instead?:

It shouldn't run JavaScript.

Software version (skip for WMF-hosted wikis like Wikipedia):

Product        Version
MediaWiki      1.39.5
PHP            8.1.26 (litespeed)
MySQL          5.6.23-cll-lve
ICU            63.1
Lua            5.1.5
Pygments       2.11.2
Mermaid        3.1.0
Flex Diagrams  0.5.1

Other information (browser name/version, screenshots, etc.):

This could allow:

  • Session Hijacking: An attacker might be able to steal the user's cookies if the proper flags are not set, for example the "HttpOnly" flag.
  • User Impersonation: An attacker might be able to interact with user data or settings and in certain scenarios bypass the CSRF protection by deploying a payload that retrieves the CSRF token automatically and submits legitimate requests to the endpoint.
  • Client-Side Attacks: An attacker is also able to inject a JavaScript payload that interacts with the victim's browser allowing for the delivery of exploits and thus affecting the end user's perimeter.
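The vector in this report is a Mermaid "participant" label that reaches the page as raw HTML. As an added illustration (not code from the FlexDiagrams extension, and not how the ticket says the fix was made), the following JavaScript shows the defensive rule: HTML-escape every user-supplied label before it can reach innerHTML, and flag labels that carried markup so the wiki can log them. Function names are hypothetical; the sample input is the diagram source quoted above.

```javascript
// Added example, not part of the original ticket or the extension's code.
// Principle: user-controlled diagram text must be escaped before it is inserted
// into the DOM. On the renderer side, Mermaid's own config also offers
// mermaid.initialize({ securityLevel: "strict" }), which encodes tags in labels;
// this block only demonstrates the escaping step and does not load Mermaid.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that can open or terminate HTML markup.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// True when a label contains something shaped like an HTML tag. Used for
// logging or rejecting a save, on top of (never instead of) escaping.
function looksLikeMarkup(label) {
  return /<\s*\/?[a-z][^>]*>/i.test(label);
}

// Walk a sequenceDiagram source line by line, escape the label part of every
// "participant" / "actor" declaration, and report which lines carried markup.
function sanitizeSequenceDiagram(source) {
  const findings = [];
  const lines = source.split("\n").map((line, idx) => {
    const m = line.match(/^(\s*(?:participant|actor)\s+)(.*)$/);
    if (!m) return line; // not a declaration line; leave untouched
    const label = m[2];
    if (looksLikeMarkup(label)) findings.push({ line: idx + 1, label });
    return m[1] + escapeHtml(label);
  });
  return { source: lines.join("\n"), findings };
}

// Constructed input: the diagram source from the report above.
const REPORTED_SOURCE =
  "sequenceDiagram\n" +
  "participant Alice <u>test</u><img src=x onerror=alert(document.domain)>foo";

const result = sanitizeSequenceDiagram(REPORTED_SOURCE);
// result.source now contains no raw "<", so the browser cannot build an element
// from it; result.findings records that line 2 of the source carried markup.
```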

Details

Risk Rating
Medium

Event Timeline

Pppery renamed this task from FlexDiagram security bug with CSRF data compromised. to FlexDiagrams XSS bug. (Dec 11 2023, 3:39 PM)
Pppery set Security to Software security bug.
Pppery added projects: Security, Security-Team.
Pppery changed the visibility from "Public (No Login Required)" to "Custom Policy".
Pppery changed the subtype of this task from "Bug Report" to "Security Issue".
Pppery added a subscriber: Yaron_Koren.
Pppery subscribed.
Mstyles changed Risk Rating from N/A to Medium. (Dec 11 2023, 7:51 PM)
Mstyles added subscribers: Sahajsk, Mstyles.

As this extension is not run in WMF production, I am untagging the security team. I will leave this ticket private as it is an XSS.

Yaron_Koren claimed this task.

It would be great to get confirmation, but I'm pretty sure this problem is indeed fixed, so I'm marking it as "Resolved".

Apologies for the delay, that seems to have resolved the issue. Thank you for the speedy response.

mmartorana renamed this task from FlexDiagrams XSS bug to CVE-2024-23175: FlexDiagrams XSS bug. (Jan 17 2024, 4:19 PM)
mmartorana changed the visibility from "Custom Policy" to "Public (No Login Required)". (Jan 17 2024, 5:33 PM)